Reporting

How do I use a saved search result as a search command?

hunderliggur
Path Finder

I need to create a search string on a daily basis that is made up of a source file name that is found in a search that meets certain criteria. (a fairly complex search, rex, filtering, etc.)

The result is a valid Splunk SPL search string (you can clip the result and run it in a search bar and it works fine). What I would like to do is save the "creator search" as a saved search and then schedule it to run daily. I will then have another search that I want to execute later which will use the result of the saved search as the search itself. Is this possible?

The saved search is something like this (to find the latest source file that meets some complex criteria)

| tstats count where index=blah sourcetype=mySpecialCase by source
| rex field=source "_special_(?<date>\d+)"
| eventstats max(date) as current
| where date=current
| strcat "index=blah source=" source " " special_where_clause
| eval mySpecialSearch = "| tstats count as bigNumbers where (".special_where_clause.") by UUID"
| table mySpecialSearch

The result would be something like:

| tstats count as bigNumbers where (index=blah source=/data/input/feed1/special_data_20181010.json) by UUID

At some other time (later), I would like to execute that result as a search itself

| savedsearch nosubstitution=true "My Saved Search"

But I would like it to literally execute the SPL that is the result of the saved search.

Is this possible from SPL or do I need to use a REST call and pass the search result in as the search?

Note: If I could do the source substitution in the original search and just execute it from there that would be fine also, although the full search is over a longer time period than the source lookup search (which is typically a 24 hour search).

1 Solution

maciep
Champion

I think you can do this one search, using a subsearch or 2. Maybe like this:

| tstats count as bigNumbers where index=blah [
  | tstats count where index=blah sourcetype=mySpecialCase [
    | makeresults
    | eval earliest=strftime(relative_time(now(),"-24h"),"%m/%d/%Y:%H:%M:%S")
    | return earliest
  ] by source
  | rex field=source "_special_(?<date>\d+)"
  | eventstats max(date) as current
  | where date=current
  | return source
] by UUID

The outer search is the one that you want to run. Since your index seems to be static, i hard-coded it there. But it uses a subsearch to add the source condition to the where clause.

The next search is the one that finds the source that you want. But since you want it to run over the past 24 hours (instead of whatever the timepicker would be), there's another subsearch. That one just does a "fake" search so that we can pass back an earliest field set to 24 hours ago, which is then added to your where clause right after the sourcetype condition.

And since this is just a subsearch now, we don't have to build that whole search. Instead, we just want to return the source field. So that source will be added the outer search which will finally run and hopefully provide the results you want.

Obviously, I can't test with your data, but it's probably close to what you'd...or hopefully at least gives you some more ideas.


mstjohn_splunk
Splunk Employee

hi @hunderliggur,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

hunderliggur
Path Finder

I implemented basically what you suggested - a subsearch for the criteria which works well. I took it a step further and added two map searches to then use the results of the first search for the next two stages of the processing pipeline. I did have to increase my subsearch timeouts since our data sets are quite large.
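The two-stage pipeline hunderliggur describes in the reply above (a criteria search feeding a dependent search through map), written out as an added example; it is not code from the original thread. index=blah, sourcetype=mySpecialCase, the _special_ filename pattern and the 30-day window for the heavy search are assumptions carried over from the question, and the source path is assumed to contain no spaces, as in the sample value, so the map token needs no extra quoting:

```spl
| tstats count where index=blah sourcetype=mySpecialCase earliest=-24h by source
| rex field=source "_special_(?<date>\d+)"
| where isnotnull(date)
| sort 0 - date
| head 1
| fields source
| map maxsearches=1 search="| tstats count as bigNumbers where index=blah source=$source$ earliest=-30d by UUID"
```

Stage one runs only over the last 24 hours because earliest=-24h sits in the tstats where clause rather than in a subsearch, so the time picker is irrelevant. The rex uses a single pair of quotes (the original post's extra quote is what maciep's side note refers to); rows where the pattern did not match are dropped, the remaining rows are sorted by the extracted date and the newest one is kept with head 1, which replaces the eventstats/where pair. map then substitutes $source$ into the dependent tstats and runs it once per input row; maxsearches=1 guards against accidentally fanning out if the first stage ever returns more than one row. Because the dependent search is built by token substitution into a fixed SPL string, nothing from the first stage is executed as SPL, which is the behaviour you want when the inputs are file names from an ingestion feed. The subsearch timeouts hunderliggur mentions are the [subsearch] maxout and maxtime settings in limits.conf; map avoids those limits since it is not a subsearch, but each mapped search still counts against the user's concurrent search quota.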


maciep
Champion

side note/heads up...there seems to be a quote issue in your rex command (i just copied it from your post)...not sure if another is needed, one should be removed, maybe replaced, etc.
